
Legal Alert: Out With the Old, in With the New – CIP Version 5 on the Horizon

April 23, 2013

Electric utilities and other generation and transmission companies will be subject to new cybersecurity standards under a proposed rule issued by the Federal Energy Regulatory Commission (FERC). FERC proposed to approve the long-awaited Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, which will overhaul the CIP regulatory framework and trigger new and revised compliance obligations for many users, owners and operators of the bulk electric system. While Version 5 establishes “a more robust cyber security posture for the industry,” FERC seeks input on certain ambiguous aspects of Version 5. Industry participants should both start their internal compliance reviews with a view toward meeting the final, approved Version 5 and also consider submitting comments to FERC.

Background

NERC is charged with developing Reliability Standards, enforceable upon FERC approval, to protect the reliability of the bulk electric system (BES),[1] including the CIP Reliability Standards. NERC’s January 31, 2013, petition to FERC for approval of CIP Version 5 included 10 Reliability Standards containing 12 requirements with new cybersecurity controls, new and revised defined terms, violation risk factors and severity levels for assessing penalties for non-compliance, and an implementation plan.

Version 5 represents a drastic shift away from prior methodologies to identify assets subject to the cybersecurity requirements, including Version 4’s “bright-line” approach for identifying Critical Assets and associated Critical Cyber Assets. Version 5 adopts a new classification approach that requires each regulated entity to identify its BES Cyber Assets (the only assets subject to Version 5), logically group these assets into BES Cyber Systems, and classify the systems based on their reliability impact (Low, Medium or High) on the bulk electric system. Each BES Cyber System at a minimum will be classified as Low Impact. NERC outlines specific criteria related to facility ratings (generation capacity and voltage levels) to identify an asset’s reliability impact, focusing on the adverse impact that loss, compromise, or misuse of the BES Cyber System could have on the reliable operation of the bulk electric system. Once a responsible entity categorizes its BES Cyber Systems, it must then apply the CIP requirements associated with the impact level(s) identified.

Implementation

FERC proposes to transition from Version 3 directly to Version 5, which would result in Version 4 never going into effect. However, FERC questions NERC’s proposal to provide a 24-month implementation period for High and Medium Impact assets to comply with Version 5 and a 36-month period for Low Impact assets. NERC’s petition did not provide adequate justification for the proposed implementation periods. FERC therefore requests comments on the necessity of these transition periods, whether they could be shorter, and what activities must be completed to transition to Version 5.

“Identify, Assess, and Correct” Deficiencies

Seventeen of the Version 5 requirements instruct the regulated entity to “identify, assess, and correct” deficiencies. NERC explained that these requirements represent a performance expectation, not an enforceable element of Version 5. FERC found this language unclear as to both the regulated entity’s compliance obligations and the requirement’s enforceability as a Reliability Standard. For example, FERC was not sure whether an entity is obligated only to “identify, assess, and correct” deficiencies or if it must also comply with the underlying requirement. Additionally, NERC did not provide a time frame to identify, assess, and correct deficiencies, nor explain how prior deficiencies will factor into an entity’s compliance history. FERC also found the language overly vague and requested further clarity on the meaning of terminology used. Ultimately, FERC may direct NERC to modify this language or remove it entirely based on comments received.

Low Impact Cybersecurity Protections

FERC found that proposed Requirement 2 of CIP-003-4, which is the only requirement applicable to Low Impact facilities, was ambiguous and could potentially result in inconsistent and inefficient Version 5 implementation. The requirement calls for documented policies but does not require implementation of substantive cybersecurity protections, and thereby provides an insufficient roadmap for protecting Low Impact BES Cyber Systems. FERC proposed to direct NERC to modify Requirement 2 to require that entities adopt specific, technically supported cybersecurity controls for Low Impact assets, as well as maintain a list of these assets.

Protecting Communication Systems

FERC’s proposal highlights the need to protect communication systems. FERC supports adopting cryptography, including encryption and integrity checks, to further communication protections under Version 5. FERC took issue with NERC’s proposal to remove “communication networks” from the definition of Cyber Assets, which FERC viewed as effectively exempting communication networks from Version 5 oversight. FERC requests comments on whether these networks should be covered and if Version 5 adequately protects non-routable communication systems.

Reliability Impact Categorization

FERC questions NERC’s proposed categorization methodology, which focuses on an asset’s reliability impact based on facility ratings, such as generation capacity and voltage levels. FERC is concerned that this approach does not address cybersecurity as comprehensively as the National Institute of Standards and Technology’s Risk Management Framework, which categorizes assets based on the loss of confidentiality, integrity, and availability of systems. While FERC opted not to require changes to this aspect of the petition, FERC may revisit NERC’s approach in the future.

What It Means for You

FERC’s proposal to adopt Version 5 and skip Version 4 should provide welcome relief to regulated entities struggling to develop internal compliance plans. Still, regulated entities should not delay internal reviews to understand Version 5 and its impact on their compliance plans. Importantly, the implementation period for complying with Version 5 may be shortened from what was expected in the Version 5 stakeholder process. Additionally, Low Impact assets should not be overlooked in the development of compliance plans because they may face a more structured and burdensome compliance obligation. The requirement to “identify, assess, and correct” deficiencies also may gain teeth in the final CIP Version 5 that is adopted. For these reasons, interested parties should consider submitting comments on FERC’s proposed approval of Version 5.

[1] In a rehearing order also issued April 18, FERC granted rehearing in part and otherwise reaffirmed its approval of a modified definition of “bulk electric system.” See Revisions to Electric Reliability Organization Definition of Bulk Electric System and Rules of Procedure, Order No. 773-A, 143 FERC ¶ 61,053 (2013).

If you have any questions about this Legal Alert, please feel free to contact the attorneys listed or the Sutherland attorney with whom you regularly work.
